iTnews

Kiwi pen tester hacks Hollywood

By James Hutchinson on Nov 21, 2011 12:45PM

Vulnerabilities in every part of the video editing process.

A New Zealand penetration tester has found video editing software vulnerabilities that could allow malicious hackers to inject frames in major Hollywood films.

Motivated by a colleague's attempt to assess vulnerabilities in scientific software, Nick Freeman told iTnews he began dissecting software used across the gamut of processes for some of Hollywood's most popular films - from script writing to post-production - to find their vulnerabilities.

The pen tester, who works for Dimension Data subsidiary Security-Assessment.com in Auckland, found that although no single software vendor controls the end-to-end process of film-making, "every part of the process has software that is vulnerable".

He found most software fell to vulnerabilities within six hours of installation, with only a few test subjects managing to avoid complete failure.

Once a vulnerability was found, Freeman contacted relevant engineers and executives at the companies to notify them of the bug and provide help on fixing the vulnerability. He scored them based on their helpfulness and willingness to help.

But the worst of the lot was also one of the biggest.

Nick Freeman ranked non-linear editing software vendor Avid the worst of the bunch in addressing and fixing vulnerabilities.

Avid software was used in several major films including Iron Man 2, Avatar and Star Trek. Freeman was able to exploit a vulnerability in a recent version of its Media Composer suite within an hour of installation.

Freeman discovered that a remote listening service in the editing software allowed him to overflow network requests, crashing the software.

While the vulnerability itself was not necessarily important, he said ensuing discussions with the vendor - one of the few tested to have a dedicated security team - proved fruitless.

"It was far too easy to exploit," he said.

"There have been two updates since then but the vulnerabilities are still there. I don't know if they'll ever get around to patching it."

None of Freeman's exploits were available to a remote user, but it is believed similar bugs have been used in recent years to gain access to film footage prior to release.

Most were exploitable due to "fundamental programming issues that have been around for a long time".

"The first tutorials on how to exploit these things came out in the 90s - this is nothing new," Freeman said.

"The vendor's main goal I guess is to have products with extensive functionality and with strict deadlines, and security falls off the road map in the process."
